Commit e1dbbc59 authored by Liping Zhang, committed by Pablo Neira Ayuso

netfilter: nf_reject_ipv4: don't send tcp RST if the packet is non-TCP

In iptables, if the user adds a rule to send a tcp RST and specifies a
non-TCP protocol, such as UDP, the kernel will reject this request. But
in nftables, this validity check only occurs in the nft tool, i.e. only
in userspace.

This means that a user can add a rule like the following via nfnetlink:
  "nft add rule filter forward ip protocol udp reject with tcp reset"

This will generate some confusing tcp RST packets. So we should send a
tcp RST only when it is a TCP packet.
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Parent 9847371a
...@@ -24,6 +24,9 @@ const struct tcphdr *nf_reject_ip_tcphdr_get(struct sk_buff *oldskb, ...@@ -24,6 +24,9 @@ const struct tcphdr *nf_reject_ip_tcphdr_get(struct sk_buff *oldskb,
if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET)) if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET))
return NULL; return NULL;
if (ip_hdr(oldskb)->protocol != IPPROTO_TCP)
return NULL;
oth = skb_header_pointer(oldskb, ip_hdrlen(oldskb), oth = skb_header_pointer(oldskb, ip_hdrlen(oldskb),
sizeof(struct tcphdr), _oth); sizeof(struct tcphdr), _oth);
if (oth == NULL) if (oth == NULL)
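Review bot: the new `protocol != IPPROTO_TCP` guard is placed in the shared helper nf_reject_ip_tcphdr_get rather than in the nft_reject_ipv4 evaluation path, so every caller that builds a RST from oldskb now gets NULL for a non-TCP packet; no caller is touched in this hunk, which is only correct if each of them already treats NULL as "send nothing", as the existing `if (oth == NULL)` path after skb_header_pointer() suggests. Checking the protocol before skb_header_pointer() is the right order: it avoids reading the first bytes of a UDP payload as if they were a TCP header and then deriving sequence numbers and flags for the RST from them. Two small follow-ups: `ip_hdr(oldskb)` is now dereferenced twice in consecutive checks and could be hoisted into a local `const struct iphdr *iph`, and since the commit message describes an nftables problem that is not specific to IPv4, the IPv6 reject helper should be checked for the same missing guard.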